Entry...............: XFD infiltrator
Alias(es)...........: -
Virus Strain........: -
Virus detected when.: ?
              where.: ?
Classification......: Boot and file virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:   BB = 1024 Bytes
                                           "LIBS:xfd/r" = 1148 Bytes
                      2. Length in RAM:                   2048 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: V37+
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: 
                      Self-identification method in memory:
                      - none!

                      System infection:
                      - infects the following function: Exec/DoIO()
                      - creates the file LIBS:xfd/r, which is
                        activated when xfd.library is opened!

                      Infection preconditions:
                      - a disk is inserted and the system didn't
                        crash due to lack of free memory :)

Infection Trigger...: - booting from infected disk
                      - having LIBS:xfd/r file installed

Storage media affected:
                      LIBS:xfd, trackdisk bootblocks

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: This strange thing has a "poly-engine"!
                      Simple EOR (XOR) encryption is used. There are
                      four versions of each decoder block, and the
                      decoder length is static: always 64 bytes...
                      This bootvirus also has stealth. I've seen such
                      somewhere, but I'm too young to remember
                      bootblock viruses anyway :)
                      This small virus even has retro: it manipulates
                      the negative offsets (function jump table) of
                      exec.library...
                      The virus doesn't destroy larger bootblocks
                      or overwrite itself (some kind of
                      self-recognition)...
                      And the most interesting thing is that it drops
                      a file containing the virus to LIBS:xfd/r...
                      I haven't seen such an idea before.

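Added example (not part of the original description or the author's
analysis): a known-plaintext check that recovers a simple repeating EOR
key from the body that follows the static 64-byte decoder, using the
dropped file name as the crib. Assumptions: a byte-, word- or
longword-wide key applied from the start of the body, and that
"LIBS:xfd/r" occurs in the clear body; the sample bootblock is
constructed and contains no real virus bytes.

```python
STUB_LEN = 64                 # static decoder length given in the description
BOOTBLOCK_LEN = 1024          # "BB = 1024 Bytes"
CRIB = b"LIBS:xfd/r"          # ASSUMPTION: dropped-file name sits in the clear body
KEY_PERIODS = (1, 2, 4)       # ASSUMPTION: byte-, word- or longword-wide EOR key


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key, key[0] aligned to data[0]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(body: bytes, crib: bytes = CRIB):
    """Slide the crib over the encrypted body. Where crib XOR ciphertext is a
    periodic byte stream, the period is the key width and the stream is the
    key (phase-shifted by the offset). Returns (key, offset) or None."""
    for off in range(len(body) - len(crib) + 1):
        s = bytes(c ^ p for c, p in zip(body[off:off + len(crib)], crib))
        for n in KEY_PERIODS:
            if all(s[i] == s[i % n] for i in range(len(s))):
                # s[i] == key[(off + i) % n]; re-phase so key[0] lines up with body[0]
                return bytes(s[(m - off) % n] for m in range(n)), off
    return None


def scan_bootblock(bootblock: bytes):
    """Return {key, offset, body} when the body decrypts to contain the crib."""
    if len(bootblock) != BOOTBLOCK_LEN:
        raise ValueError("expected a 1024-byte bootblock")
    hit = recover_key(bootblock[STUB_LEN:])
    if hit is None:
        return None
    key, off = hit
    body = xor_stream(bootblock[STUB_LEN:], key)
    if body[off:off + len(CRIB)] != CRIB:      # sanity check on the decryption
        return None
    return {"key": key, "offset": STUB_LEN + off, "body": body}


def build_sample(key: bytes = b"\x5a\xc3") -> bytes:
    """CONSTRUCTED stand-in bootblock for the demo; these are not real virus bytes."""
    stub = b"DOS\x00" + bytes((i * 37) & 0xFF for i in range(STUB_LEN - 4))
    plain = bytes(201) + b"xfd.library\x00" + CRIB + b"\x00"
    plain += bytes(BOOTBLOCK_LEN - STUB_LEN - len(plain))
    return stub + xor_stream(plain, key)


if __name__ == "__main__":
    hit = scan_bootblock(build_sample())
    print("EOR key", hit["key"].hex(), "crib at bootblock byte", hit["offset"])
```

Run such a scan after booting from a clean disk: while the virus is
resident it hooks DoIO() and hands back an uninfected bootblock on read.
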
Similarities........: All bootblock viruses from ancient times :)
                      But it isn't another SCA clone: this virus
                      has some unique features that made it
                      really interesting to me.

Stealth.............: Yes. Stealth returns the uninfected boot
                      instead of the virus. Triggers installation
                      of the virus file at LIBS:xfd/r...

Armouring...........: Poly-engine described above.

Comments............: The age of this virus is unknown. It seems to be
                      totally harmless and it didn't spread.
                      xxxx said it was on a CD from 1999. The virus must
                      be quite new, as it aims at harddisk-based
                      systems with the xfd drop and due to its cache
                      awareness, but I doubt it is newer than 1997,
                      when we saw the last boot virus (HNY98)...

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  2002
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 2002
Information Source..: Analysis of virus and source code
Copyright...........: This documentation is public domain

===================== End of XFD infiltrator virus =====================